Introduction


Fault-tree analysis was first developed in 1961-62 by H. A. Watson of Bell Telephone Laboratories under an Air Force study contract for the Minuteman Launch Control System. The use of fault trees has since gained widespread support and is often used as a failure analysis tool by reliability engineers. Though conceptually simple, especially for those with a knowledge of basic circuit logic, the fault tree can be a useful tool. Although many computation techniques have been developed, a single superior algorithm has not been discovered. Some algorithms are superior for some problems but inferior for others (ref. 1). In this paper a new algorithm is presented which is tailored for the analysis of fault trees used to model fault-tolerant architectures — in particular, fault trees where the dominant failure modes contain a small number of basic events (e.g., 1, 2, or 3). This paper also presents a new program called the Fault-Tree Compiler (FTC) which is based on this new solution technique. The program provides the user with an expressive language for defining his fault tree and automatically calculates the probability of the top event in the tree. The program can perform a sensitivity analysis with respect to any specified parameter of the fault tree, such as a component failure rate or a specific event probability.

The motivation for the development of the Fault-Tree Compiler began with the observation that the Computer-Aided Reliability Estimation (CARE III) program (ref. 2) was often being used for the analysis of fault trees. Although CARE III can be used to solve fault trees, it was designed primarily to analyze complex reconfigurable systems where the fault-handling capabilities must be included in the reliability analysis. Therefore, it was not optimized for systems that can be described by a simple fault tree alone. The CARE III fault-tree code provided a minimal framework for the FTC mathematical solution technique. A more efficient solution technique which utilized an automatic pruning technique was developed and implemented in FTC. (The original CARE III algorithm required the user to manually prune the search space.) An error bound on the pruning technique has been derived which is presented in detail in this paper. The user interface to the program is a high-level language for describing fault trees. The improved solver and the Fault-Tree Compiler input language and sensitivity analysis capabilities provide a powerful fault-tree solver; in short,

1. The FTC program has a simple yet expressive input language 

2. Automatic sensitivity analysis is provided 

3. The mathematical solution technique can be used to obtain accuracy to within a user-specified number of digits

4. A hierarchical capability is provided which can simplify the preparation of the fault-tree 
input file and significantly reduce the program execution time 

5. FTC is capable of handling common mode events, where the same event may appear 
more than once in the fault tree 

The FTC solution algorithm was implemented in FORTRAN, and the user interface, in 
Pascal. The program executes on Digital Equipment Corporation (DEC) VAX computers 
running the VMS operating system and on computers with the Berkeley UNIX operating 
system. 

This paper is organized as follows. First, the reader is given a brief introduction to fault 
trees. Next, the user interface to the FTC program is given along with several example sessions. 
Finally, the mathematical basis of the program is given, including the new algorithm and a 
theorem which provides an error bound for the algorithm. 

A short tutorial on the construction of fault trees is provided. The tutorial will outline the 
basic gate types allowed by the FTC program and their use in describing an example system 
of interest. 

Fault-Tree Construction 

Fault trees are typically constructed by starting with the top event (usually representing some undesirable situation) and determining all possible ways to reach that event. This approach is often referred to as the top-down or backward approach. An example of a bottom-up or forward approach is the failure modes and effects analysis (FMEA), where the analyst starts with the different failure modes of the system components and traces the effects of the failures.

An example fault-tree structure is shown in figure 1. The event of interest, referred to as the top event, appears as the top level in the tree. Only one top event is allowed. Basic events are the lowest level of the fault tree, and different combinations of basic events will result in the top event. In figure 1, the basic events are indicated by circles. The user associates a probability of occurrence with each basic event in the tree. Note that a basic event may appear more than once in the fault tree, in which case it is referred to as a common mode event. A useful feature of the FTC program is its ability to handle these common mode events.



Events are combinations of basic events or other (lower) events. In figure 1 the output of the OR gate is an event. Typical fault-tree notation allows comment boxes to appear in the tree to describe an event. Though only two comment boxes appear in the example (to describe the hydraulic failure and the top event), boxes could have appeared above any event, basic or nonbasic. Logic gates delineate the causal relations which ultimately result in the top event. In the FTC program the gates listed in the table below are allowed.

The following short example illustrates the top-down process by which a fault tree is constructed:

The F-15C fighter has three primary weapon systems: heat-seeking missiles, radar missiles, and the gun. Occasionally the guns will be inoperable, due possibly to one or more separate events. The fault tree shown in figure 1 delineates the possible causes of in-flight gun no-fire. The preflight ground check includes the removal of several safety pins, including three pins which, once removed, will allow the gun to fire. A “rounds counter” on the plane determines the total number of rounds (bullets) to be fired. It is possible to completely restrict the firing of the gun with the proper rounds counter setting. The landing gear locked in the down position will also prevent the gun from firing. Additionally, loss of electric power to ignite the bullets or hydraulic power to rotate the barrels will completely inhibit the gun. Loss of hydraulic power may occur if the hydraulic lines are severed or the hydraulic fluid levels are low.
(The gate symbols drawn in the original table are not reproduced here.)

Gate name        Result of gate

AND              The output occurs when all input events occur simultaneously; an
                 arbitrary number of input events are allowed

OR               The output occurs when one or more of the input events occur; an
                 arbitrary number of input events are allowed

EXCLUSIVE OR     The output occurs when one, but not both, of the input events occurs;
                 only two input events are allowed

m OF n           The output occurs when m of n inputs occur; the number of inputs must
                 be greater than or equal to m

INVERT           This gate performs a complement (applying DeMorgan's Law) on the input;
                 the number of inputs must equal one

It is not the goal of this paper to teach the construction of fault trees; however, this simple 
example illustrates several important elements of fault-tree modeling: 

1. All basic events must be independent. In probability theory, two events, A and B, are 
independent if 

P(AB) = P(A)P(B) 

It is important to note that it is often very difficult to establish independence of events. 
In this example, it is assumed that the safety pin removal and setting of the rounds 
counter are independent events, even though both are performed during the preflight 
ground check. 

2. Sequences of events cannot be modeled with the gates allowed by the FTC program. 
For many systems of interest, an event Z occurs if and only if event A occurs before 
event B. If event B occurs before event A, a different result is seen. At best, the analyst 
must define a basic event which is the result of some sequence of events and assign a 
probability to the basic event. 

3. Mutually exclusive events must be handled with care. Basic events cannot be mutually exclusive. For example, basic event A cannot be defined as Power on and basic event B defined as Power off. However, basic event A may be defined as Power on, and an INVERT gate (which performs the probabilistic complement of the input) with basic event A as input may define the event Power not on.

4. Typically, fault trees are developed to demonstrate the probability of some undesirable 
top event. A typical top event might be Catastrophic System Failure. Generally, it is 
much faster to enumerate the ways that a system will fail than it is to enumerate the 
ways a system will succeed. Occasionally, however, it is more advantageous to create a 
success tree. The FTC program makes no distinction between the trees; it simply solves 
for the probability of the top event in a tree. 

5. Basic events must be assigned a probability of occurrence. The FTC program also allows 
for failure rates to be assigned to basic events. The user must also supply a value for the 
mission time at which the probability of system failure will be evaluated. Parametric 
analysis is facilitated by allowing one basic event probability or rate to vary over a range 
of values. The syntax is described in the section “Fault-Tree Definition Syntax.” 

For more information on fault trees, reference 3 is recommended. The next sections discuss 
(1) the user interface for the FTC program, (2) example FTC sessions, and (3) the mathematical 
foundations of the solution technique used in version 2 of the program. In the appendix, the 
error messages generated by the program are explained. 

The FTC User Interface 

In this section the user interface to the FTC program is described. The interface consists of 
a tree-definition language and user commands. An overview of the interface is given followed 
by a detailed description of the tree-definition language and user commands. 

FTC Program Overview 

The user of the FTC program must define his fault tree with a simple language. There are two basic statements in the tree-definition language — the basic event definition statement and the gate definition statement. The basic event definition statement defines a fundamental event and associates a probability with this event. For example, the statement

X: 0.002;

defines a fundamental event which occurs with probability 0.002. The gate definition statement defines a gate of the fault tree by specifying the gate type and all its inputs. For example, the statement

G1: AND(Q12, V123, L12, E5);

defines an “AND gate” with output G1 and inputs Q12, V123, L12, and E5. The basic event and gate-output identifiers may consist of letters, numbers, and underscores (_) but must begin with a letter. The following gates are allowed: AND, OR, XOR (EXCLUSIVE OR), INV (INVERT gate), and m OF (m out-of-n gate).

The input language is probably best explained by way of an example. A fault tree and the corresponding FTC input file are shown in figure 2. The first seven lines assign probabilities to the basic events E1, E2, E3, E4, E5, and E6. These probabilities have been defined in terms of a parameter P. This has been done to illustrate the expression syntax of the input language. The next four lines define four gates by specifying the inputs to a gate as arguments. For example, the first of these four defines an “AND gate” whose inputs are the basic events E1 and E2. The output of this gate is then given the name G1. Other gates can be defined using basic events or previously defined gates. The top gate of the model is always named TOP. When the RUN command is issued to the FTC program, the probability of TOP is calculated.

P = 0.01;
E1: 0.1*P;
E2: 0.2*P;
E3: 0.1*P;
E4: 0.05*P;
E5: 0.02*P;
E6: 0.9*(1-P);
G1: AND(E1,E2);
G2: AND(E3,E1);
G3: AND(E4,E5,E6);
IG3: INV(G3);
TOP: OR(G1,G2,IG3);

Figure 2. Fault tree and corresponding FTC input file.

The program also provides a capability for parameter sensitivity studies. For example, suppose one wishes to determine the impact of varying the value of P in the model above. The user first determines a range of values, say 0.1 to 0.6, and then alters the first line of the above model as follows:

P = 0.1 TO 0.6;

The program will automatically calculate the probability of the TOP event as a function of P.

Finally, the program allows the user to specify his fault tree by using a hierarchical approach. 
This is done by defining subtrees whose top event probabilities can be used when defining other 
subtrees or the main tree. For example: 

SUBTREE TREE_1;
X1: 0.1; X2: 0.2; X3: 0.1;
TOP: AND(X1,X2,X3);

SUBTREE TREE_2;
Y1: 0.2; Y2: 0.007; Y3: 0.02;
TOP: OR(Y1,Y2,Y3);

TREE MAIN;
E1: 0.1;
E2: TREE_1;
E3: TREE_2;
E4: TREE_1*(1-TREE_2);
E5: 2*TREE_1 + 0.3*TREE_2;
G1: AND(E4,E5);
TOP: OR(E1,E2,E3,G1);

This input defines a hierarchical fault tree which consists of a main tree and two subtrees. 
Note that the main tree references the names of the subtrees in its basic-event definitions. The 
meaning of this is simple. The program first calculates the “TOP” probability of the subtrees. 
The probabilities of each of these TOP events are stored in the names of the subtrees. Thus, 
event E2 in the main tree has a probability of occurrence equal to the TOP event of the first 
subtree. 

Fault-Tree Definition Syntax 

The basic-event definition statement and the gate definition statement are the only essential 
ingredients of the FTC input language. However, the flexibility of the FTC program has 
been increased by adding several features commonly seen in programming languages such 
as FORTRAN or Pascal. The details of the FTC language are described in the following 
subsections. 
Lexical Details

The probabilities assigned to events or component failure rates are floating point numbers. 
The Pascal/FORTRAN real syntax is used for these numbers. Thus, all the following would 
be accepted by the FTC program: 

0.001

12.34

1.2E-4

1E-5

The semicolon is used for statement termination. Therefore, more than one statement may be 
entered on a line. Comments may be included any place that blanks are allowed. The notation 
“(*” indicates the beginning of a comment and “*)” indicates the termination of a comment. 
The following is an example of the use of a comment: 

GYRO_F: 0.025; (* PROBABILITY OF A GYRO FAILURE *)

If statements are entered from a terminal (as opposed to using the READ command described 
subsequently), then the carriage return is interpreted as a semicolon. Thus, interactive 
statements do not have to be terminated by an explicit semicolon unless more than one 
statement is entered on the line. 

In interactive mode, the FTC system will prompt the user for input by a line number 
followed by a question mark. For example, 

1? 

The number is a count of the current line plus the number of syntactically correct lines entered 
into the system thus far. 

Constant Definitions 

The user may equate numbers to identifiers. Thereafter, these constant identifiers may be 
used instead of the numbers. For example, 

LAMBDA = 0.0052;

RECOVER = 0.005; 

Constants may also be defined in terms of previously defined constants: 

GAMMA = 10*LAMBDA ; 

In general, the syntax is 
<name> = <expression>; 

where <name> is a string of up to eight letters, digits, and underscores (_) beginning with a 
letter, and <expression> is an arbitrary mathematical expression as described in a subsequent 
section entitled “Expressions.” 

Variable Definition 

In order to facilitate parametric analyses, a single variable may be defined. A range of values 
is given for this variable. The FTC system will compute the probability of the top event as a 
function of this variable. If the system is run in graphics mode (to be described later), then a 
plot of this function can be made. The following statement defines LAMBDA as a variable with 
range 0.001 to 0.009: 

LAMBDA = 0.001 TO 0.009; 

Only one such variable may be defined. A special constant, POINTS, defines the number of 
points over this range to be computed. This constant can be defined any time before the RUN 
command. For example, 

POINTS = 25; 
specifies that 25 values over the range of the variable should be computed. The method used to vary the variable over this range can be either geometric or arithmetic and is best explained by an example. Suppose POINTS = 4, then

Geometric:

XV = 1 TO* 1000;

yields XV values of 1, 10, 100, and 1000.

Arithmetic:

XV = 1 TO+ 1000;

yields XV values of 1, 333, 667, and 1000. The * following the TO implies a geometric range. A TO+ or simply TO implies an arithmetic range.

One additional option is available — the BY option. Adding the phrase BY <inc> to this syntax causes the program to start with the specified first value and determine the subsequent values of the variable by adding <inc> (if arithmetic) or multiplying by <inc> (if geometric). In this case, the value of POINTS is automatically calculated by the program. For example,

V = 1E-6 TO* 1E-2 BY 10;

sets POINTS equal to 5 and the values of V to 1E-6, 1E-5, 1E-4, 1E-3, and 1E-2. The statement

Q = 3 TO+ 5 BY 1;

sets POINTS equal to 3, and the values of Q to 3, 4, and 5.

In general, the syntax is 

<var> = <expression> TO {<c>} <expression> {BY <inc>} 

where <var> is a string of up to eight letters and digits beginning with a letter, <expression> 
is an arbitrary mathematical expression as described in the next section, and the optional <c> 
is a + or *. The BY clause is optional; if it is used, then <inc> is any arbitrary expression. 
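As an added example (not code from the FTC program), the following Python helper reproduces the range expansion described above for TO, TO+, TO* and the BY option, deriving POINTS from the increment when BY is given. The text does not say what happens when a BY increment does not land exactly on the last value, so stopping at the last value that does not pass it is an assumption made here.

```python
import math


def expand_range(first, last, mode="+", points=25, inc=None):
    """Values FTC would compute for  <var> = first TO<mode> last [BY inc].

    mode "+" (plain TO or TO+) spaces the values arithmetically, "*" (TO*)
    geometrically. Without BY, `points` plays the role of the POINTS constant
    (FTC's default is 25). With BY, the count is derived from the increment as
    FTC does; the text does not say what happens when the increment does not
    land exactly on `last`, so this version (an assumption) stops at the last
    value that does not pass `last`.
    """
    if mode not in ("+", "*"):
        raise ValueError("range mode must be + (arithmetic) or * (geometric)")
    if mode == "*" and (first <= 0 or last <= 0):
        raise ValueError("a geometric range needs strictly positive end points")
    if inc is not None:
        if inc == 0 or (mode == "*" and (inc <= 0 or inc == 1)):
            raise ValueError("BY increment cannot be 0, nor 1 or negative for a geometric range")
        # Steps that fit between first and last; the 1e-9 slack absorbs rounding such as
        # log(1E-2 / 1E-6) / log(10) coming out as 3.9999999999999996 instead of 4.
        span = (last - first) / inc if mode == "+" else math.log(last / first, inc)
        points = math.floor(span + 1e-9) + 1
    if points < 1:
        raise ValueError("POINTS must be at least 1 (the increment points away from last)")
    if points == 1:
        return [first]
    # Each value is derived from its index rather than accumulated, so the last value
    # lands on `last` (1E-6 times 10**4) instead of drifting through repeated rounding.
    if mode == "+":
        step = inc if inc is not None else (last - first) / (points - 1)
        return [first + i * step for i in range(points)]
    ratio = inc if inc is not None else (last / first) ** (1.0 / (points - 1))
    return [first * ratio ** i for i in range(points)]
```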

Expressions 

When defining constants or an event probability, arbitrary functions of the constants and the variable may be used. The following operators may be used:

+     addition
-     subtraction
*     multiplication
/     division
**    exponentiation

The following standard functions may be used:

EXP(X)       exponential function
LN(X)        natural logarithm
SIN(X)       sine function
COS(X)       cosine function
ARCSIN(X)    arc sine function
ARCCOS(X)    arc cosine function
ARCTAN(X)    arc tangent function
SQRT(X)      square root

Both ( ) and [ ] may be used for grouping in the expressions. The following are permissible expressions:

2E-4

1 - [EXP(-LAMBDA*TIME)]
Basic Event Definition

The fundamental events of the fault tree (i.e., events which are not the outputs of a gate 
in the tree) must be assigned probabilities. This is accomplished by using the basic-event 
definition statement. This statement has the following syntax: 

<event-id> : <expression> ; 

where <event-id> is the name of the event and <expression> is an expression defining the 
probability of the event which must evaluate to a number between 0 and 1. Alternately, the 
user can specify the rate of an event. Rates are specified by using the following syntax: 

<event-id> -> <rate-expression> ; 

where <event-id> is the name of the event and <rate-expression> is an expression defining the 
rate of the event. The probability of the event is calculated by the program with the following 
formula: 

Prob[event] = 1.0 - exp(-<rate-expression>*TIME) 

where TIME is the value of the special constant TIME which defines the mission time. If TIME is 
not defined by the user, then the program uses 10 for the mission time. Note that this formula 
represents the standard exponential distribution function, 

F(t) = 1 - e^{-λt}    (t ≥ 0)


(Note that the solution algorithm only manipulates probabilities. The rates and times are only 
used by the input language processor to derive an event probability. The solution algorithm is 
combinatorial and does not deal with the rates directly.) 

Gate Definition 


Once all the fundamental events are defined, the gate definition statement may be used to define the structure of the fault tree. The syntax of this statement is

<output-id> : { OR | AND | XOR | INV } ( <input>, <input>, ... ) ;

or

<output-id> : <int> OF ( <input>, <input>, ... ) ;


The <output-id> is the name of the (nonbasic) event which is the output of the gate and <int> is a positive integer which is less than or equal to the number of arguments. The type of gate is indicated by the reserved words OR, AND, INV, XOR, or OF as follows:

AND      output probability is probability of all events occurring
OR       output probability is probability of one or more events occurring
XOR      output probability is probability of one of the events, but not both, occurring (i.e., EXCLUSIVE OR gate)
INV      output probability is probabilistic complement of input (i.e., INVERT gate)
m OF     output probability is probability of m or more events occurring (i.e., m OF n gate)


Any number of input events may be included within the parentheses for the AND, OR, and m OF gates. The XOR gate takes two arguments and the INV gate takes one. The following gate definition statements are valid:

G1: AND(X, Y, Z);

G2: OR(A1, A2, A3);

G3: 2 OF (A1, A2, A3, A4);

CAT_DIES: 9 OF (HIT_BY_CAR, ATTACKED_BY_DOG, STARVED_TO_DEATH,
                DROPPED_400_FEET, FLAMBEED, CAUGHT_IN_FAN_BELT,
                DROWNED_IN_TOILET, SUFFOCATED, EXCESSIVE_DIARRHEA,
                LOST_IN_DESERT, FED_ANTIFREEZE, MICROWAVED,
                STEPPED_ON);

Hierarchical Fault Trees 


Often a system consists of several identical independent subsystems. In order to preserve 
the independence, it is necessary to replicate the subsystem fault tree in the system model. For 
example, suppose we have a system which contains four identical independent subsystems. The 
system fails when three of the subsystems fail. Each subsystem consists of four components. If 
any component fails, the subsystem fails. The following fault tree describes the subsystem: 


COMP_1: .01;
COMP_2: .02;
COMP_3: .03;
COMP_4: .05;

SUBSYSTEM_FAILS: OR(COMP_1, COMP_2, COMP_3, COMP_4);

The system fault tree is as follows:

SYSTEM_FAILS: 3 OF (SUBSYS_1_FAILS, SUBSYS_2_FAILS, SUBSYS_3_FAILS, SUBSYS_4_FAILS);

To integrate these sections into one fault tree, the subsystem must be replicated four times 
using different event names in each replicate: 


SUBSYS_1_COMP_1: .01;
SUBSYS_1_COMP_2: .02;
SUBSYS_1_COMP_3: .03;
SUBSYS_1_COMP_4: .05;
SUBSYS_1_FAILS: OR(SUBSYS_1_COMP_1, SUBSYS_1_COMP_2,
                   SUBSYS_1_COMP_3, SUBSYS_1_COMP_4);

SUBSYS_2_COMP_1: .01;
SUBSYS_2_COMP_2: .02;
SUBSYS_2_COMP_3: .03;
SUBSYS_2_COMP_4: .05;
SUBSYS_2_FAILS: OR(SUBSYS_2_COMP_1, SUBSYS_2_COMP_2,
                   SUBSYS_2_COMP_3, SUBSYS_2_COMP_4);

SUBSYS_3_COMP_1: .01;
SUBSYS_3_COMP_2: .02;
SUBSYS_3_COMP_3: .03;
SUBSYS_3_COMP_4: .05;
SUBSYS_3_FAILS: OR(SUBSYS_3_COMP_1, SUBSYS_3_COMP_2,
                   SUBSYS_3_COMP_3, SUBSYS_3_COMP_4);

SUBSYS_4_COMP_1: .01;
SUBSYS_4_COMP_2: .02;
SUBSYS_4_COMP_3: .03;
SUBSYS_4_COMP_4: .05;
SUBSYS_4_FAILS: OR(SUBSYS_4_COMP_1, SUBSYS_4_COMP_2,
                   SUBSYS_4_COMP_3, SUBSYS_4_COMP_4);

SYSTEM_FAILS: 3 OF (SUBSYS_1_FAILS, SUBSYS_2_FAILS, SUBSYS_3_FAILS,
                    SUBSYS_4_FAILS);
Obviously, this is a tedious process. Therefore, the FTC program provides the user with a hierarchical fault-tree capability. The following model is semantically equivalent to the previous fault tree:

SUBTREE SUBSYSTEM_FAILS;
COMP_1: .01;
COMP_2: .02;
COMP_3: .03;
COMP_4: .05;
TOP: OR(COMP_1, COMP_2, COMP_3, COMP_4);

TREE SYSTEM_FAILS;
SUBSYS_1_FAILS: SUBSYSTEM_FAILS;
SUBSYS_2_FAILS: SUBSYSTEM_FAILS;
SUBSYS_3_FAILS: SUBSYSTEM_FAILS;
SUBSYS_4_FAILS: SUBSYSTEM_FAILS;
TOP: 3 OF (SUBSYS_1_FAILS, SUBSYS_2_FAILS, SUBSYS_3_FAILS,
           SUBSYS_4_FAILS);

The model is defined in two sections. The first section defines a subtree which is named SUBSYSTEM_FAILS. This subtree is solved by the program and the probability of its top event is saved in the identifier SUBSYSTEM_FAILS. In subsequent trees or subtrees this identifier can be used. In this model, four events in the main tree are given the probability of the subsystem, that is, SUBSYSTEM_FAILS.

To simplify the analysis of the effect of a system parameter on the probability of the top 
event, global variables and constants may be used. These must be defined before any subtrees 
are defined. Global events cannot be defined. 

The effect of the change in the failure probability of a component in the previous model 
could be investigated by using the following model: 

FP = .01 TO .05 BY .01;

SUBTREE SUBSYSTEM_FAILS;
COMP_1: FP;
COMP_2: .02; COMP_3: .03; COMP_4: .05;
TOP: OR(COMP_1, COMP_2, COMP_3, COMP_4);

TREE SYSTEM_FAILS;
SUBSYS_1_FAILS: SUBSYSTEM_FAILS; SUBSYS_2_FAILS: SUBSYSTEM_FAILS;
SUBSYS_3_FAILS: SUBSYSTEM_FAILS; SUBSYS_4_FAILS: SUBSYSTEM_FAILS;
TOP: 3 OF (SUBSYS_1_FAILS, SUBSYS_2_FAILS, SUBSYS_3_FAILS,
           SUBSYS_4_FAILS);


FTC Commands 

The FTC program is controlled by interactively entered commands. These commands can 
be used to read in model-description files, set various options, initiate the computation, plot 
results, etc. These commands will be described in detail in this section. 

There are two types of commands in FTC. The first type of command is initiated by one of 
the following reserved words: 

EXIT INPUT PLOT READ RUN SHOW 
The second type of command is invoked by setting one of the special constants

ACCURACY CARE3 ECHO LIST POINTS TIME

equal to one of its predefined values.

EXIT 

The EXIT command causes termination of the FTC program. 

INPUT 

The INPUT command increases the flexibility of the READ command. Within the model 
description file created with a text editor, INPUT commands can be inserted that will prompt 
for values of specified constants while the model file is being processed by the READ command. 
For example, the command 

INPUT LVAL; 

will prompt the user for a number as follows: 

LVAL? 

This creates a new constant LVAL which is equal to the value input by the user. Several 
constants can be interactively defined with one statement, for example, 

INPUT X, Y, Z; 

PLOT 

The PLOT command can be used to plot the output on a graphics display device. This 
command is described in detail in the next section, “FTC Graphics.” This command is only 
available at installations which have the graphics library TEMPLATE. 

READ 

A sequence of FTC statements may be read from a disk file using the READ command. The 
following command reads FTC statements from a disk file named SIFT.TRE: 

READ SIFT.TRE; 

If no file name extension is given, the default extension .TRE is assumed. A user can build a model
description file with a text editor and use this command to read the file into the FTC program. 

RUN 

After a fault tree has been input to the FTC program, the RUN command is used to initiate 
the computation: 

RUN; 

The output is displayed on the terminal according to the LIST option (described later). If the 
user wants the output written to a disk file instead, the following syntax is used: 

RUN <outname>; 

where the output file <outname> may be any permissible VAX VMS file name. Two positional 
parameters are available on the RUN command. These parameters enable the user to change 
the value of the special constants POINTS and LIST in the RUN command. For example, 

RUN (30,2) OUTFILE.DAT;

is equivalent to the following sequence of commands: 

POINTS = 30; 

LIST = 2; 

RUN OUTFILE.DAT;

Each parameter is optional so the following are acceptable: 
RUN (10);        change POINTS to 10 then run.

RUN ( , 0);      change LIST to 0 and run.

RUN (20, 1);     change POINTS to 20 and LIST to 1 then run.

After the RUN command has completed, the fault tree and all symbol definitions are deleted. 
However, the results of the run are stored and available for plotting via the PLOT command. 

SHOW 

The value of the identifier <id> is displayed by the following command:

SHOW <id>; 

This function cannot be used to obtain values for gate identifiers or identifiers which depend 
upon the variable. 

ACCURACY 

With the ACCURACY command, the user specifies the number of digits of accuracy he desires in the final answer. A significant decrease in execution time can be obtained if only a few digits of accuracy are necessary. The default value is 6. This parameter is used by the program to reduce the number of vectors which must be searched. Also the program calculates an accumulated rounding error due to the imprecision of floating point arithmetic. If this error is large enough to influence the specified accuracy, the following warning message is given:

ROUNDOFF ERROR => ONLY x DIGITS ACCURACY 

CARE3

If set equal to 1, the program will generate a file containing the fault tree in the CARE III syntax. (See ref. 2.) The default value of 0 specifies that no CARE III file be written. The name of the generated file is CARE3.TRE. The first line of a CARE III input file must contain four numbers which give the first and last input event numbers and the first and last output event numbers. Note that the input range is completely specified, but that the upper value on the output range is specified by X. The user must edit the file, supplying the appropriate upper value for the output range and inserting the tree into an otherwise complete CARE III input file.


ECHO 

The ECHO constant can be used to turn off the echo when reading a disk file. The default 
value of ECHO is 1, which causes the model description to be listed as it is read. (See example 4 
in the section “Example FTC Sessions.”) 

LIST 

The amount of information output by the program is controlled by the LIST command. 
Three list modes are available as follows: 

LIST = 0; No output is sent to terminal, but results can still be displayed using PLOT 
command. 

LIST = 1 ; Output is sent to terminal; this is the default. 

LIST = 2; Output sent to terminal contains more detailed information, e.g., number of 
vectors processed. See example 6. 

POINTS 

The POINTS constant specifies the number of points to be calculated over the range of the 
variable. The default value is 25. If no variable is defined, then this specification is ignored. 

TIME 

The TIME constant specifies the mission time when rates are used for events. The TIME constant has meaning only when the model includes failure rates, which depend upon time. For example, if the user sets TIME = 1.3, the program computes the probability of the top event at mission time equal to 1.3. The default value of TIME is 10. If the default value of TIME is not to be used, TIME must be defined before any events are defined. (The program does not assume any particular units of time. The program assumes that the units used for TIME are the same as those used for the event rates.)

FTC Graphics

Although the FTC program is easily used without graphics output, many users desire the increased user friendliness of the tool when assisted by graphics. The graphics output module is written in FORTRAN but uses the graphics library TEMPLATE (available at the Langley Research Center). Thus, the FTC graphics capabilities will only be available at installations which have this library. Alternatively, this module can be rewritten by using another graphics library.

► The FTC program can plot the probability of system failure as a function of any model 

parameter. The output from several FTC runs can be displayed together in the form of contour 
plots. Thus, the effect on system reliability of two model parameters can be illustrated on one 
plot. 

PLOT Command

After a RUN command, the PLOT command can be used to plot the output on the graphics
display. The syntax is

PLOT <op>, <op>, ... <op>

where <op> are plot options. Any TEMPLATE "USET" or "UPSET" parameter can be used,
but the following are the most useful:

XLOG       plot x-axis using logarithmic scale
YLOG       plot y-axis using logarithmic scale
XYLOG      plot both x- and y-axes using logarithmic scales
NOLO       plot x- and y-axes with linear scaling

XLEN=5.0   set x-axis length to 5.0 in.
YLEN=8.0   set y-axis length to 8.0 in.
XMIN=2.0   set x-origin 2 in. from left side of screen
YMIN=2.0   set y-origin 2 in. above bottom of screen

PLOTINIT and PLOT+ Commands

The PLOTINIT and PLOT+ commands are used together to display multiple runs on one plot.
A single run of FTC generates unreliability as a function of a single variable. To see the effect
of a second variable (i.e., display contours of a three-dimensional surface) the PLOT+ command
is used. The PLOTINIT command should be called before performing the first FTC run. This
command defines the second variable (i.e., the contour variable):

PLOTINIT BETA;

This defines BETA as the second independent variable. Next, the user must set BETA to its first
value. After the run is complete, the output is plotted by using the PLOT+ command. The
parameters of this command are identical to the PLOT command. The only difference is that
the data values are saved and can be displayed in conjunction with subsequent run data values.

Next, BETA must be set to a second value, another FTC run made, and PLOT+ must be called
again. This time both outputs will be displayed together. Up to 10 such runs can be displayed
together.

Example FTC Sessions 

Outline of a Typical Session 

The FTC program was designed for interactive use. The following method of use is
recommended:

1. Using a text editor, create a file of FTC commands describing the fault tree to be analyzed.

2. Start the FTC program and use the READ command to retrieve the model information from
this file.

3. Then, various commands may be used to change the values of the special constants, such
as LIST and POINTS, as desired. Altering the value of a constant identifier does not affect any
transitions entered previously even though they were defined with a different value for the
constant. The range of the variable may be changed after transitions are entered.

4. Enter the RUN command to initiate the computation.

5. Issue the PLOT command to plot the results.

Examples 

The following examples illustrate interactive FTC sessions. For clarity, all user inputs are 
given in lowercase letters. 

Example 1. This session illustrates direct interactive input and the type of error messages 
given by FTC: 

$ ftc

FTC V2.4 NASA Langley Research Center
1?
2? time = 10.0;
3? lambda = 1e-4;
4?
5? X: 1.0 - exp( -lambda*time );
6? Y: 1.0 - exp( -lamda*time);
IDENTIFIER NOT DEFINED
6? Y: 1.0 - exp( -lambda*time);
7? top: or(X,Y);
8? run

Pr[TOP EVENT]

1.99800E-03

*** WARNING: SYNTAX ERRORS PRESENT BEFORE RUN
3 OUT OF THE 4 VECTORS ANALYZED CAUSED TOP EVENT
SMALLEST NUMBER OF EVENTS CAUSING TOP EVENT = 1
0.420 SECS. CPU TIME UTILIZED

9? exit

The warning message is simply informative. If a user receives this message, he should check 
his input file to make sure that the model description is correct. In this example, since the 
syntax error was corrected in the next line, the model was correct. A complete list of program- 
generated error messages is given in the appendix. The message "3 OUT OF THE 4 VECTORS 
ANALYZED CAUSED TOP EVENT" informs the user of the amount of processing performed by the 
program. The message "SMALLEST ..." indicates the least number of concurrent basic events 
which caused the TOP event. 

Example 2. This example illustrates the recommended method of using FTC — creating a 
file with a text editor and issuing a READ command. Prior to initiating the FTC program, the 
text file SIMP.TRE was created by using an editor. The contents of this file are echoed as it is 
read in by the program: 

$ ftc

FTC V2.4 NASA Langley Research Center
1? read SIMP.TRE
2. EVNT1: 0.001;
3. EVNT2: 0.002;
4. EVNT3: 0.003;
5. EVNT4: 0.0004;
6. EVNT5: 0.0005;
7. EVNT6: 0.0006;
8. TOP: 2 OF ( EVNT1, EVNT2, EVNT3, EVNT4, EVNT5, EVNT6 );
9? accuracy = 2;
10? run

MODEL FILE = SIMP.TRE    FTC V2.4    14-OCT-1988 09:00:20

Pr[TOP EVENT]     ERRORS/WARNINGS

2.06649E-05

16 OUT OF THE 24 VECTORS ANALYZED CAUSED TOP EVENT
SMALLEST NUMBER OF EVENTS CAUSING TOP EVENT = 2
0.590 SECS. CPU TIME UTILIZED

11? exit


The statement ACCURACY = 2 instructed the program to compute an answer with 2 digits
accuracy. Consequently, the program only analyzed 24 out of the 64 possible vectors (i.e., six
events implies 2^6 vectors). The exact answer is 2.06859E-05, which illustrates that the program
produced an answer with more accuracy than 2 digits. The pruning algorithm used by FTC
is conservative; consequently, the program often produces results with more accuracy than
requested. For details on the pruning algorithm used by FTC, see the section "Mathematical
Foundations of the FTC Program."

Example 3. This example demonstrates the use of the hierarchical fault-tree capability to 
partially describe an aircraft pitch control architecture. The proposed architecture is composed 
of four independent actuator subsystems and the supporting hydraulic and electronic systems. 
Each actuator subsystem is comprised of a pitch rate sensor, a computer, and the actuator. 
Two of the four actuator subsystems failing will result in loss of pitch control. Likewise, loss 
of either the hydraulic or electronic system will cause loss of pitch control. 

$ ftc

FTC V2.4 NASA Langley Research Center
1? read ex3.mod
2. SUBTREE ACT_SYS_FAIL;
3.
4. PITCH_RATE_SENSOR -> 1.8E-05;
5. COMPUTER -> 4.4E-04;
6. ACTUATOR -> 3.7E-05;
7.
8. TOP: OR( PITCH_RATE_SENSOR, COMPUTER, ACTUATOR);
9.
10. TREE LOSS_OF_PITCH_CONTROL;
11.
12. HYDRAULIC_FAILURE: 1.3E-06;       (* HYDRAULIC SYSTEM FAILURE RATE *)
13. ELECTRONICS_FAILURE: 5.0E-04;     (* AIRCRAFT ELECTRONICS FAILURE *)
14. ACT_SYS1_FAILS: ACT_SYS_FAILS;    (* THE ACTUATOR SYSTEM IS *)
15. ACT_SYS2_FAILS: ACT_SYS_FAILS;    (* COMPOSED OF FOUR INDE- *)
16. ACT_SYS3_FAILS: ACT_SYS_FAILS;    (* PENDENT SUBSYSTEMS. *)
17. ACT_SYS4_FAILS: ACT_SYS_FAILS;
18.
19. GATE1: 2 OF (ACT_SYS1_FAILS, ACT_SYS2_FAILS, ACT_SYS3_FAILS, ACT_SYS4_FAILS);
20. TOP: OR(GATE1, HYDRAULIC_FAILURE, ELECTRONICS_FAILURE);
21.
22? run

MODEL FILE = EX3.TRE    FTC V2.4    14-OCT-1988 09:00:25

Pr[ACT_SYS_]      ERRORS/WARNINGS

4.93777E-03

7 OUT OF THE 8 VECTORS ANALYZED CAUSED TOP EVENT
SMALLEST NUMBER OF EVENTS CAUSING TOP EVENT = 1

Pr[TOP EVENT]     ERRORS/WARNINGS

6.46555E-04

43 OUT OF THE 48 VECTORS ANALYZED CAUSED TOP EVENT
SMALLEST NUMBER OF EVENTS CAUSING TOP EVENT = 1
1.340 SECS. CPU TIME UTILIZED

23? exit
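The two figures printed in this session can be checked by hand, and doing so shows what the TIME constant does to a "->" event. The following is an added worked example written for this page, not FTC code; the function names (rate_to_prob, or_gate, k_of_n, act_sys_fail, loss_of_pitch_control) are ours. It evaluates the tree gate by gate rather than by enumerating state vectors, which is exact here only because no basic event feeds more than one gate, and it takes the ":" events as fixed probabilities (rather than rates), which is the reading that reproduces the printed results.

```python
# Added example, not FTC's own code: example 3 evaluated gate by gate with the
# rate (->) events converted to probabilities at mission TIME. Function names are ours.
from math import exp, prod

TIME = 10.0   # FTC's default mission time; the rates are assumed to use the same time unit

def rate_to_prob(rate, time=TIME):
    """A '->' event with constant failure rate fails by `time` with probability 1 - exp(-rate*time)."""
    return 1.0 - exp(-rate * time)

def or_gate(*ps):
    """OR of independent inputs: 1 - prod(1 - p_i)."""
    return 1.0 - prod(1.0 - p for p in ps)

def k_of_n(k, ps):
    """k OF (...) over independent inputs: sum P(state) over every state with >= k inputs failed."""
    n = len(ps)
    total = 0.0
    for mask in range(1 << n):                       # every subset of failed inputs
        bits = [(mask >> i) & 1 for i in range(n)]
        if sum(bits) >= k:
            total += prod(p if b else 1.0 - p for p, b in zip(ps, bits))
    return total

def act_sys_fail(time=TIME):
    """Actuator subsystem subtree: TOP = OR(PITCH_RATE_SENSOR, COMPUTER, ACTUATOR), all rates."""
    return or_gate(rate_to_prob(1.8e-5, time),       # PITCH_RATE_SENSOR
                   rate_to_prob(4.4e-4, time),       # COMPUTER
                   rate_to_prob(3.7e-5, time))       # ACTUATOR

def loss_of_pitch_control(time=TIME):
    """TREE LOSS_OF_PITCH_CONTROL: GATE1 = 2 OF (four independent subtree instances),
    TOP = OR(GATE1, HYDRAULIC_FAILURE, ELECTRONICS_FAILURE). The ':' events are used as
    probabilities (1.3E-06 and 5.0E-04), which is what reproduces the printed result."""
    act = act_sys_fail(time)
    gate1 = k_of_n(2, [act] * 4)
    return or_gate(gate1, 1.3e-6, 5.0e-4)

if __name__ == "__main__":
    print(f"Pr[actuator subsystem] = {act_sys_fail():.5E}")      # page prints 4.93777E-03
    print(f"Pr[TOP EVENT]          = {loss_of_pitch_control():.5E}")  # page prints 6.46555E-04
```

The gate-by-gate shortcut is only valid while every basic event appears under exactly one gate. In example 4 below, B1 and C11 feed both LPD1 and LID1 inside COMMAND_FAILURE, so the inputs of PCS_DATA_LOSS and IRADC_DATA_LOSS are not independent and this shortcut would give the wrong answer; FTC's state-vector enumeration, described under "Mathematical Foundations," handles shared events correctly because it sums probabilities of whole system states rather than combining gate outputs.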


Example 4. This example illustrates the use of the FTC program to process the fault tree
used in the Integrated Airframe Propulsion Control System Architecture (IAPSA II) project
to analyze surface control failures. (See ref. 4.)

The surface control system has three separate actuation channels, each consisting of an 
actuation stage and a disengage device stage. The actuation channels are brickwalled with 
force-sum voting at the control surface. Channel self-monitoring techniques are the primary 
method of fault detection and isolation. Each actuation channel contains two special devices 
for fault tolerance. The disengage device can deactivate a faulty channel. The surface can 
be controlled by one channel if the other two channels have been deactivated. Additionally, 
an override device in each channel allows two good channels to overpower a channel with a 
failed disengage device. Thus, surface failure (top event) can occur in two ways: (1) loss of all 
three actuation channels and (2) loss of two channels when one of the lost channels has a failed 
disengage device. The following tree describes these aspects of the system failure process: 


TREE SURFACE_FAILURE;

CH1: CH_FAULT;      (* Channel 1 failure *)
CH2: CH_FAULT;      (* Channel 2 failure *)
CH3: CH_FAULT;      (* Channel 3 failure *)

DD1 -> 6.0E-6;      (* Channel 1 disengage device failure *)
DD2 -> 6.0E-6;      (* Channel 2 disengage device failure *)
DD3 -> 6.0E-6;      (* Channel 3 disengage device failure *)

LOSS_OF_ALL_CHANNELS: AND( CH1, CH2, CH3);

SF1A: AND(CH1, DD1);
SF1B: OR(CH2, CH3);
CHANNEL1_UNISOLATED: AND( SF1A, SF1B);

SF2A: AND(CH2, DD2);
SF2B: OR( CH1, CH3);
CHANNEL2_UNISOLATED: AND( SF2A, SF2B);

SF3A: AND(CH3, DD3);
SF3B: OR(CH1, CH2);
CHANNEL3_UNISOLATED: AND( SF3A, SF3B);

TOP: OR (LOSS_OF_ALL_CHANNELS, CHANNEL1_UNISOLATED,
         CHANNEL2_UNISOLATED, CHANNEL3_UNISOLATED);

Next, the failures leading to an actuation channel breakdown must be enumerated in a subtree. 
An actuation channel failure can occur because of the loss of the intersystem (I/S) bus, lack of 
two surface commands, or a fault in the actuation channel elements — the I/S bus terminal, the 
elevator processor, and the electrical and mechanical actuation hardware. Surface commands 
can be lost due to command generation faults or computer bus terminal faults. The following 
subtree describes actuation channel failure: 

SUBTREE CH_FAULT;

C1_COMMAND: COMMAND_FAILURE;    (* Loss of command 1 *)
C2_COMMAND: COMMAND_FAILURE;    (* Loss of command 2 *)
C3_COMMAND: COMMAND_FAILURE;    (* Loss of command 3 *)
C4_COMMAND: COMMAND_FAILURE;    (* Loss of command 4 *)

C11 -> 1E-6;      (* computer 1 bus terminal fault *)
C21 -> 1E-6;      (* computer 2 bus terminal fault *)
C31 -> 1E-6;      (* computer 3 bus terminal fault *)
C41 -> 1E-6;      (* computer 4 bus terminal fault *)
ACT1 -> 90E-6;    (* fault in actuation channel elements *)
B1 -> 20E-6;      (* failure in I/S bus *)

AC1: OR( C1_COMMAND, C11);
AC2: OR( C2_COMMAND, C21);
AC3: OR( C3_COMMAND, C31);
AC4: OR( C4_COMMAND, C41);

LOSE_TWO_COMMANDS: 3 OF (AC1, AC2, AC3, AC4);

TOP: OR (ACT1, B1, LOSE_TWO_COMMANDS);


A command generation fault can occur due to lack of pilot control sensors (PCS) data, lack 
of inertial reference air data computer (IRADC) data, or computer failure. The loss of data 
can be due to data source failure, I/S bus failure, or computer bus terminal failure: 

SUBTREE COMMAND_FAILURE;

PCS1 -> 11.0E-6;        (* loss of channel 1 PCS data *)
B1 -> 20E-6;            (* failure in channel 1 I/S bus *)
C11 -> 1E-6;            (* bus terminal to channel 1 fault *)
IRADC1 -> 122.5E-6;     (* loss of channel 1 IRADC data *)

PCS2 -> 11.0E-6;        (* loss of channel 2 PCS data *)
B2 -> 20E-6;            (* failure in channel 2 I/S bus *)
C12 -> 1E-6;            (* bus terminal to channel 2 fault *)
IRADC2 -> 122.5E-6;     (* loss of channel 2 IRADC data *)

PCS3 -> 11.0E-6;        (* loss of channel 3 PCS data *)
B3 -> 20E-6;            (* failure in channel 3 I/S bus *)
C13 -> 1E-6;            (* bus terminal to channel 3 fault *)
IRADC3 -> 122.5E-6;     (* loss of channel 3 IRADC data *)

CLC1 -> 100.0E-6;       (* computer failure rate *)

LPD1: OR(PCS1, B1, C11);
LPD2: OR(PCS2, B2, C12);
LPD3: OR(PCS3, B3, C13);
PCS_DATA_LOSS: AND( LPD1, LPD2, LPD3);

LID1: OR( IRADC1, B1, C11);
LID2: OR( IRADC2, B2, C12);
LID3: OR( IRADC3, B3, C13);
IRADC_DATA_LOSS: AND (LID1, LID2, LID3);

TOP: OR( PCS_DATA_LOSS, IRADC_DATA_LOSS, CLC1);


To simplify the discussion, the TREE section was presented first. In an input file to the FTC
program, all subtrees must be placed before the TREE section. The above model was available
in file IAPSA.TRE prior to the following interactive session:

$ ftc

FTC V2.4 NASA Langley Research Center

1? echo = 0
2? read iapsa
87? run

MODEL FILE = IAPSA.TRE    FTC V2.4    14-OCT-1988 09:00:31

Pr[COMMAND_]      ERRORS/WARNINGS

9.99503E-04

51 OUT OF THE 181 VECTORS ANALYZED CAUSED TOP EVENT
SMALLEST NUMBER OF EVENTS CAUSING TOP EVENT = 1

Pr[CH_FAULT]      ERRORS/WARNINGS

1.09940E-03

40 OUT OF THE 77 VECTORS ANALYZED CAUSED TOP EVENT
SMALLEST NUMBER OF EVENTS CAUSING TOP EVENT = 1

Pr[TOP EVENT]     ERRORS/WARNINGS

1.76344E-09

20 OUT OF THE 58 VECTORS ANALYZED CAUSED TOP EVENT
SMALLEST NUMBER OF EVENTS CAUSING TOP EVENT = 3
3.270 SECS. CPU TIME UTILIZED
88?
Example 5. This example illustrates the use of the program to investigate the sensitivity of
a fault tree to a parameter.

FTC V2.4 NASA Langley Research Center
1? read ex5
2. V = 0 TO 1 BY .1;
3. G11: V;
4. G12: V/2;
5. G13: SQRT(V);
6. G14: 1 - V;
7. G15: 1 - V/2;
8. G16: 1 - SQRT(V);
9. G17: V*(1-V);
10. G18: (1-V)*(1-V*V)*(1-V**3);
11.
12. A21: AND(G11,G12,G13);
13. A22: OR(G12,G13);
14. A23: XOR(G13,G14);
15. A24: 3 OF (G15,G16,G17,G18);
16. A25: AND(G16,G17);
17.
18. B31: OR(A21,A25);
19. B32: INV(A22);
20. B33: OR(A24,A22);
21.
22. C41: AND(B31,A23);
23. C42: AND(B33,B32,A22);
24.
25. TOP: 2 OF (C41,C42,A25,A23);
26.
27? run

MODEL FILE = EX5.TRE    FTC V2.4    14-OCT-1988 09:00:34

V              Pr[TOP EVENT]    ERRORS/WARNINGS

0.00000E+00    0.00000E+00      .. WARNING: EVENT PROB. = 0 or 1
1.00000E-01    3.99655E-02
2.00000E-01    4.86548E-02
3.00000E-01    5.23680E-02
4.00000E-01    6.02219E-02
5.00000E-01    7.75698E-02
6.00000E-01    1.09150E-01
7.00000E-01    1.60335E-01
8.00000E-01    2.37549E-01
9.00000E-01    3.48165E-01
1.00000E+00    5.00000E-01      .. WARNING: EVENT PROB. = 0 or 1

12 OUT OF THE 141 VECTORS ANALYZED CAUSED TOP EVENT
SMALLEST NUMBER OF EVENTS CAUSING TOP EVENT = 3
7.810 SECS. CPU TIME UTILIZED

28? plot

29? disp copy (* See Figure 3 *)

The warning messages alert the user that some of the events in the model occur with
probability 0 and/or 1. The FTC program gives correct answers for such models; however,
sometimes this is indicative of a user error.



Example 6. This example illustrates the use of the program to investigate the effect of 
variations in mission time on the probability of system failure. The model is run twice, once 
with LIST = 1 and once with LIST = 2, to illustrate the LIST options. 

FTC V2.4 NASA Langley Research Center
1? read EX6
2. TIME = 0.1 TO* 1000 BY 10;
3.
4. E1 -> 1E-4;
5. E2 -> 2E-4;
6. E3 -> 3E-4;
7. E4 -> 4E-4;
8. E5 -> 5E-4;
9. E6 -> 6E-4;
10.
11. G1: AND(E1,E2);
12. G2: AND(E3,E4);
13. G3: AND(E5,E6);
14.
15. TOP: OR(G1,G2,G3);
16? list = 1;
17? run

MODEL FILE = EX6.TRE    FTC V2.4    14-OCT-1988 09:00:45

TIME           Pr[TOP EVENT]    ERRORS/WARNINGS

1.00000E-01    4.39979E-09
1.00000E+00    4.39790E-07
1.00000E+01    4.37902E-05
1.00000E+02    4.19197E-03
1.00000E+03    2.60782E-01

37 OUT OF THE 64 VECTORS ANALYZED CAUSED TOP EVENT
SMALLEST NUMBER OF EVENTS CAUSING TOP EVENT = 2
2.160 SECS. CPU TIME UTILIZED

18? read EX6
19. TIME = 0.1 TO* 1000 BY 10;
20.
21. E1 -> 1E-4;
22. E2 -> 2E-4;
23. E3 -> 3E-4;
24. E4 -> 4E-4;
25. E5 -> 5E-4;
26. E6 -> 6E-4;
27.
28. G1: AND(E1,E2);
29. G2: AND(E3,E4);
30. G3: AND(E5,E6);
31.
32. TOP: OR(G1,G2,G3);
33? list = 2;
34? run

MODEL FILE = EX6.TRE    FTC V2.4    14-OCT-1988 09:00:49

TIME           Pr[TOP EVENT]            FV    NV    ERRORS/WARNINGS

1.00000E-01    4.3997900519443E-09      16    43
1.00000E+00    4.3978987686773E-07      16    43
1.00000E+01    4.3790174680721E-05      31    58
1.00000E+02    4.1919723847700E-03      37    64
1.00000E+03    2.6078188495868E-01      37    64

37 OUT OF THE 64 VECTORS ANALYZED CAUSED TOP EVENT
SMALLEST NUMBER OF EVENTS CAUSING TOP EVENT = 2
2.160 SECS. CPU TIME UTILIZED


The columns FV and NV report the number of vectors which caused system failure and the 
total number of vectors processed, respectively. 
Mathematical Foundations of the FTC Program

In this section, a new algorithm for solving fault trees is presented along with a proof that 
the algorithm produces an answer within a user-specified level of accuracy. Then, a more 
efficient form of the algorithm which is implemented in FTC is given and the proof is revised. 

Preliminaries 

The FTC solution technique relies upon three basic model assumptions: 

1. System components, or basic events, fail independently, 

2. Components are either failed or operational; an “in-between” state does not exist. 

3. The system is either failed or operational; no “in-between” state exists. 

In the following discussion, the fault tree is generalized to have n basic events and a probability 
of occurrence associated with each. Basic events will be referred to as components and a 
probability of failure will be attributed to each of the components in the system. We will 
assume that the components have been numbered in order of decreasing failure probability. 


Let $E_i$ represent the event that the $i$th component fails. Then $E_i$ occurs with the $i$th
largest probability and $P(E_i) \ge P(E_j)$ whenever $i < j$. Next, define an indicator variable
$e_i$ (for $1 \le i \le n$) as follows:

$$e_i = \begin{cases} 0 & \text{if event } i \text{ does not occur (i.e., component } i \text{ does not fail)} \\ 1 & \text{if event } i \text{ occurs (i.e., component } i \text{ fails)} \end{cases}$$

It is possible to enumerate all combinations of components failed and components operational
describing the different possible states of the system. Each system state can be represented
by an $n$-dimensional "binary" vector $v$ composed of 1's and 0's, where 1 indicates that
the component has failed and 0 indicates that the component has not failed:

$$v = (e_1\ e_2\ e_3\ \ldots\ e_n)$$

Then, we have by independence of the $n$ basic events,

$$P(v) = \prod_{i=1}^{n} \left( e_i P(E_i) + [1 - P(E_i)]\,[1 - e_i] \right)$$

The event that all $n$ components fail, for example, would be represented by the vector
$(1\ 1\ 1\ \cdots\ 1)$.


A system composed of four basic events would generate the following binary vectors:

1. (0 0 0 0)
2. (1 0 0 0)
3. (0 1 0 0)
4. (0 0 1 0)
5. (0 0 0 1)
6. (1 1 0 0)
7. (1 0 1 0)
8. (1 0 0 1)
9. (0 1 1 0)
10. (0 1 0 1)
11. (0 0 1 1)
12. (1 1 1 0)
13. (1 1 0 1)
14. (1 0 1 1)
15. (0 1 1 1)
16. (1 1 1 1)


For an $n$-component system there are $2^n$ possible binary vectors representing $2^n$ distinct
system states. The $j$th system state is denoted by $v_j$, and its associated probability by
$P(v_j)$. Note that the $j$th binary vector can be written in terms of the variables $e_{ij}$,
$(e_{1j}\ e_{2j}\ \ldots\ e_{nj})$, and that the probability of the $j$th system state is

$$P(v_j) = \prod_{i=1}^{n} \left( e_{ij} P(E_i) + [1 - P(E_i)]\,[1 - e_{ij}] \right)$$

The sample space $S$ is the set of all possible system states denoted by the $2^n$ binary vectors.
By definition,

$$P(S) = 1.$$

Because the components are either failed or not failed, the $2^n$ binary vectors exhaustively
describe all possible system states. Therefore,

$$P(v_1 + v_2 + \ldots + v_{2^n}) = P(S) = 1.$$

Clearly, the system can be in only one state at any given time, indicating that the system states
are mutually exclusive. By definition,

$$P(v_i v_j) = 0 \quad (\text{for every } i \text{ and } j \ne i)$$

and for the $2^n$ mutually exclusive system states,

$$P(v_1 + v_2 + \ldots + v_{2^n}) = P(v_1) + P(v_2) + \ldots + P(v_{2^n}).$$

To calculate the probability of system failure, the sample space $S$ composed of $2^n$ system
states is divided into two subsets, where one subset contains all the system failure states and
the other subset contains all states where the system is operational. Because the system must
be either failed or operational, these two subsets are clearly exhaustive and mutually exclusive.
Furthermore the system states composing each of these two subsets are mutually exclusive, and
the probability of either subset can be found by summing the appropriate individual system
state probabilities. Therefore, the calculation of the total probability of system failure by
simply summing the probabilities of the system configurations that represent system failure is
exact.

The Basic Approach 

The program reorders the basic events in the binary vector in order of decreasing probability. 
(A mapping from the new order to the user-defined names is maintained.) 

The program then generates binary vectors in an orderly fashion, starting with binary vector

(0 0 0 ... 0).

The following is the sequence generated for a four-event tree:

(0 0 0 0)
(1 0 0 0)
(0 1 0 0)
(0 0 1 0)
(0 0 0 1)
(1 1 0 0)
(1 0 1 0)
(1 0 0 1)
(0 1 1 0)
(0 1 0 1)
(0 0 1 1)
(1 1 1 0)
(1 1 0 1)
(1 0 1 1)
(0 1 1 1)
(1 1 1 1)
Vectors are checked through the user-defined system tree. For each binary vector found to
represent a system-fail configuration, its probability is added to a running total of binary vector
probabilities, where all vector probabilities in the sum represent system-fail configurations. As
shown above, the total number of binary vectors to be checked through the system tree is $2^n$.
For systems with many components, the number of fault vectors to check through the system
tree can be very large. A simple and effective pruning technique has been developed to reduce
the total number of fault vectors checked through the system tree. The pruning technique will
not affect the FTC program answer; it will reduce run time and improve efficiency.

The FTC program uses two types of pruning. The first type of pruning is based on the
concept that the probability of occurrence of a vector with a large number of 1's is typically
much less than the probability of occurrence of a vector with just a few 1's. The
first type of pruning is more easily explained by letting $\Psi(v)$ = number of 1's in vector $v$. The
program determines a level $\gamma$ such that all vectors $v$ with $\Psi(v) \ge \gamma$ contribute a negligible
amount to the final answer. The program continues processing vectors until the first vector
$v$ with $\Psi(v) \ge \gamma$ is encountered. Since vectors are processed in increasing order of $\Psi(v)$,
only the negligible vectors are not processed. The second type of pruning skips all vectors
with probabilities less than a computed threshold. The error bounding theorems presented
subsequently demonstrate that both pruning methods together are conservative with respect
to a user-specified level of accuracy.

Notation

$E_i$                           event that $i$th component fails
$e_i$                           = 1 if event $E_i$ occurs, otherwise 0
$p_i$                           probability event $E_i$ occurs (i.e., $P(e_i = 1)$)
$(e_1\ e_2\ e_3\ \ldots\ e_n)$   system state vector
$V_k$                           vector with $k$ 1's followed by $n - k$ 0's: $(\underbrace{1\ 1\ 1 \ldots 1\ 1}_{k}\ 0\ 0 \ldots 0)$
$P(V_k)$                        probability that vector $V_k$ occurs
$\Psi(v)$                       number of 1's in vector $v$
$N_f$                           number of vectors which caused system failure thus far
$N_a$                           total number of vectors which have been analyzed thus far
$S_f$                           current estimate of system failure probability
$d$                             user-specified number of digits accuracy
$n$                             number of basic events in fault tree


The FTC Algorithm

In this section, two versions of the fault-tree solution algorithm are presented. First, the
basic algorithm is discussed along with a proof of its error bound. Second, a slightly more
efficient algorithm (which is used in FTC V2) is given along with its error bound. In order
to facilitate the presentation of the FTC algorithm, some special notation is defined. Let $V_k$
represent a vector with $k$ 1's followed by $n - k$ 0's:

$$V_k = (\underbrace{1\ 1\ 1 \ldots 1\ 1}_{k}\ 0\ 0 \ldots 0)$$

and let

$p_i$ = probability event $E_i$ occurs (i.e., $P(e_i = 1)$)

$P(V_k)$ = probability that vector $V_k$ occurs

$$P(V_k) = \prod_{i=1}^{k} p_i \prod_{j=k+1}^{n} (1 - p_j)$$

$\Psi(v)$ = number of 1's in a vector

$N_f$ = number of vectors which caused system failure thus far

$N_a$ = total number of vectors which have been analyzed thus far

$S_f$ = current estimate of system failure probability

$d$ = user-specified number of digits accuracy

$n$ = number of basic events in fault tree
Basic Algorithm

The program processes vectors until the first vector that causes system failure is encountered.
Using the probability of failure of this vector as an estimate of the probability of system failure
$P_{sys}$, the program calculates parameters $\gamma$ and $\Omega$. (The details of this calculation are explained
subsequently.) The program continues processing vectors until a vector $v$ is encountered with $\gamma$
1's or more (i.e., $\Psi(v) \ge \gamma$). A cumulative sum of the probabilities of occurrence of the vectors
which cause system failure is stored in the variable $S_f$. The program also skips over all vectors
whose probability of occurrence is less than $\Omega$. The algorithm is as follows (in the vector
forms, a bracketed group with subscript $k$ denotes $k$ consecutive bits):

    v = (0 0 0 ... 0); S_f = 0; N_f = 0
    REPEAT
        IF v causes system failure THEN
            N_f = N_f + 1
            calculate P(v)
            S_f = S_f + P(v)
            IF N_f = 1 THEN
                CALL CUTLEVEL(S_f, γ, Ω)
            ENDIF
            IF P(v) < Ω THEN CALL PRUNER(v) ENDIF
        ENDIF
        IF (Ψ(v) ≥ γ) THEN GO TO 100 ENDIF
        LASTv = v
        v = NEXTvector(v)
    UNTIL LASTv = (1 1 ... 1)
    100: P_sys = S_f

    SUBROUTINE CUTLEVEL(S_f, γ, Ω)
        k = n
        SUM = 0.0
        BOUND = S_f [0.5 × 10^(-d)]        (* d = desired # digits accuracy *)
        REPEAT
            ERRGAM = SUM
            SUM = SUM + C(n,k) P(V_k)       (* C(n,k) = binomial coefficient *)
            k = k - 1
        UNTIL SUM > BOUND
        γ = k + 2
        C_γ = Σ_{k=0}^{γ-1} C(n,k)
        Ω = (BOUND - ERRGAM) / (C_γ - N_a)
    END

    SUBROUTINE PRUNER(v)
        IF v is of FORM (x_1 x_2 ... x_j 0 [1 1 ... 1 1]_k [0 0 ... 0]_z) THEN
            v = (x_1 x_2 ... x_j [0 0 0 ... 0]_{z+1} [1 1 ... 1 1]_k)
        ENDIF
    END


Subroutine CUTLEVEL calculates the parameters $\gamma$ and $\Omega$. The calculation of $\gamma$ is based
on the fact that the probability $P(V_k) \ge$ the probability of occurrence of any other vector with
$k$ 1's. Since there are $\binom{n}{k}$ vectors with $k$ 1's, the total error in ignoring the contribution of
vectors with $\gamma$ or more 1's is bounded by

$$\sum_{k=\gamma}^{n} \binom{n}{k} P(V_k)$$

CUTLEVEL determines the smallest value for $\gamma$ such that this error is negligible. CUTLEVEL
also determines a probability $\Omega$ that is small enough such that all vectors whose probability of
occurrence is less than it can be ignored.

Subroutine PRUNER just moves the rightmost cluster of 1-bits (i.e., a contiguous section
of 1's) all the way to the right. For example, suppose that FTC is being used to solve a model
with 6 basic events. The following is the order in which the vectors would be generated
(starting at (1 1 0 0 0 0)):

(1 1 0 0 0 0)
(1 0 1 0 0 0)
(1 0 0 1 0 0)
(1 0 0 0 1 0)
(1 0 0 0 0 1)
(0 1 1 0 0 0)
(0 1 0 1 0 0)
(0 1 0 0 1 0)
(0 1 0 0 0 1)
(0 0 1 1 0 0)
(0 0 1 0 1 0)
(0 0 1 0 0 1)
(0 0 0 1 1 0)
(0 0 0 1 0 1)
(0 0 0 0 1 1)
(1 1 1 0 0 0)
(1 1 0 1 0 0)
(1 1 0 0 1 0)
(1 1 0 0 0 1)
(1 0 1 1 0 0)
(1 0 1 0 1 0)
(1 0 1 0 0 1)
(1 0 0 1 1 0)
(1 0 0 1 0 1)
(1 0 0 0 1 1)
(0 1 1 1 0 0)
(0 1 1 0 1 0)
(0 1 1 0 0 1)
(0 1 0 1 1 0)
(0 1 0 1 0 1)
(0 1 0 0 1 1)
(0 0 1 1 1 0)

Subroutine PRUNER skips from (1 0 0 1 0 0) to (1 0 0 0 0 1), from (1 0 0 1 1 0) to (1 0 0 0 1 1),
and from (0 0 1 0 1 0) to (0 0 1 0 0 1).

It is demonstrated subsequently that subroutine PRUNER only skips over vectors with
probability of occurrence less than that of the argument $v$. Since PRUNER is only called when
$P(v) < \Omega$, PRUNER only skips vectors with probability less than $\Omega$.

Function NEXTvector generates the next vector $Nv$ given the current vector $v$ by the
following algorithm (a bracketed group with subscript $k$ denotes $k$ consecutive bits):

    FUNCTION NEXTvector(v)
        IF right-most bit of v is a 0 THEN
            FROM v = (x_1 x_2 ... x_j 1 0 ... 0) generate
                 Nv = (x_1 x_2 ... x_j 0 1 ... 0)
        ELSE IF all 1-bits are all the way to the right THEN
            Nv = (1 1 ... 1 0 ... 0) with 1 more 1-bit than v
        ELSE
            k = number of 1-bits in rightmost cluster of 1's in v
            z = number of 0-bits preceding the rightmost cluster of 1-bits in v
            FROM v = (x_1 x_2 ... x_j 1 [0 ... 0]_z [1 1 ... 1]_k) generate
                 Nv = (x_1 x_2 ... x_j 0 [1 1 ... 1]_{k+1} [0 ... 0]_{z-1})
        ENDIF
        NEXTvector = Nv
    END

Thus, NEXTvector generates the next vector by moving the rightmost 1-bit to the right until
it reaches the last position. If all the 1-bits are all the way to the right, then a new vector is
created with one more 1-bit than the previous vector. Otherwise, it then alters the order of
the lower bits and then continues to move the rightmost bit to the right.
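The basic algorithm, CUTLEVEL, PRUNER and NEXTvector above, together with the $P(v)$ product from the Preliminaries section, are written out below in Python as an added example for this page; it is not FTC's FORTRAN source, and all names are ours. It runs the SIMP.TRE model of example 2 at ACCURACY = 2 so the pruned estimate can be compared with the exact $2^n$ sum (2.06859E-05 on the page). Two cases the pseudocode leaves open are settled by our reading, marked in the comments: the all-zero start vector is treated as the "all 1-bits at the right" branch of NEXTvector, and $\Omega$ is set to 0 when $C_\gamma - N_a$ would be 0.

```python
# Added example, not FTC's FORTRAN source: the basic algorithm with CUTLEVEL, PRUNER and
# NEXTvector in Python, applied to the SIMP.TRE model of example 2. Names are ours.
from itertools import product
from math import comb, prod

# Constructed input: the six events and the TOP: 2 OF (...) gate of SIMP.TRE.
SIMP_EVENTS = {"EVNT1": 0.001, "EVNT2": 0.002, "EVNT3": 0.003,
               "EVNT4": 0.0004, "EVNT5": 0.0005, "EVNT6": 0.0006}

def simp_top(failed):
    """TOP: 2 OF (EVNT1, ..., EVNT6); `failed` maps each event name to 1 if it has failed."""
    return sum(failed.values()) >= 2

def prob_vector(p, v):
    """P(v) = prod_i (e_i p_i + (1 - p_i)(1 - e_i)); p is sorted by decreasing probability."""
    return prod(p[i] if e else 1.0 - p[i] for i, e in enumerate(v))

def prob_vk(p, k):
    """P(V_k): the k most probable events failed and the remaining n - k working."""
    return prod(p[:k]) * prod(1.0 - q for q in p[k:])

def next_vector(v):
    """NEXTvector: successor of v in FTC's order, or None after (1 1 ... 1)."""
    n = len(v)
    if 1 not in v:                           # our reading: start vector -> first weight-1 vector
        return (1,) + (0,) * (n - 1)
    v = list(v)
    if v[-1] == 0:                           # branch 1: rightmost 1-bit moves one place right
        i = n - 1 - v[::-1].index(1)
        v[i], v[i + 1] = 0, 1
        return tuple(v)
    i, k = n - 1, 0                          # k = size of the rightmost cluster of 1's
    while i >= 0 and v[i] == 1:
        i, k = i - 1, k + 1
    if i < 0:
        return None                          # (1 1 ... 1): enumeration finished
    if 1 not in v[:i + 1]:                   # branch 2: all 1-bits already flush right
        return (1,) * (k + 1) + (0,) * (n - k - 1)
    z = 0                                    # branch 3: z zeros between cluster and prior 1-bit
    while v[i] == 0:
        i, z = i - 1, z + 1
    return tuple(v[:i]) + (0,) + (1,) * (k + 1) + (0,) * (z - 1)

def pruner(v):
    """PRUNER: if v = (x..x 0 [1]*k [0]*z) move the 1-cluster flush right, else return v."""
    i, z = len(v) - 1, 0
    while i >= 0 and v[i] == 0:
        i, z = i - 1, z + 1
    if z == 0 or i < 0:
        return tuple(v)
    k = 0
    while i >= 0 and v[i] == 1:
        i, k = i - 1, k + 1
    if i < 0 or v[i] != 0:                   # the cluster must be preceded by a 0 to match the form
        return tuple(v)
    return tuple(v[:i]) + (0,) * (z + 1) + (1,) * k

def cutlevel(p, s_f, n_a, d):
    """CUTLEVEL: (gamma, Omega) for current estimate S_f after N_a vectors, d digits accuracy."""
    n, bound = len(p), s_f * 0.5 * 10.0 ** (-d)
    k, total = n, 0.0
    while k >= 0:
        errgam = total
        total += comb(n, k) * prob_vk(p, k)
        k -= 1
        if total > bound:
            break
    gamma = k + 2
    c_gamma = sum(comb(n, j) for j in range(gamma))
    # Our guard: Omega = 0 (no second-type pruning) if no vector with Psi < gamma is left.
    omega = (bound - errgam) / (c_gamma - n_a) if c_gamma > n_a else 0.0
    return gamma, omega

def ftc_solve(events, top, d):
    """Basic algorithm: returns (S_f, N_f, N_a); S_f estimates P_sys to d digits."""
    order = sorted(events, key=events.get, reverse=True)   # decreasing probability
    p = [events[name] for name in order]
    v, s_f, n_f, n_a = (0,) * len(p), 0.0, 0, 0
    gamma, omega = len(p) + 1, 0.0           # nothing is pruned before CUTLEVEL has run
    while v is not None:
        n_a += 1
        if top(dict(zip(order, v))):
            n_f += 1
            pv = prob_vector(p, v)
            s_f += pv
            if n_f == 1:
                gamma, omega = cutlevel(p, s_f, n_a, d)
            if pv < omega:
                v = pruner(v)
        if sum(v) >= gamma:                  # Psi(v) >= gamma: the remaining vectors are negligible
            break
        v = next_vector(v)
    return s_f, n_f, n_a

def exact_top_probability(events, top):
    """Reference answer: sum P(v) over all 2^n states that cause the top event."""
    names = list(events)
    return sum(prod(events[nm] if e else 1.0 - events[nm] for nm, e in zip(names, bits))
               for bits in product((0, 1), repeat=len(names)) if top(dict(zip(names, bits))))
```

Calling `ftc_solve(SIMP_EVENTS, simp_top, 2)` stops after the weight-3 vectors, so well under the 64 states are analyzed, and the returned $S_f$ agrees with `exact_top_probability(SIMP_EVENTS, simp_top)` to far better than the two digits requested, for the reason the error bound below gives: BOUND is fixed from the first failing vector, whose probability is much smaller than $P_{sys}$. The exact vector count and estimate differ slightly from the session printout because the pseudocode does not fix every detail of FTC V2's bookkeeping.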

Justification for the Basic Algorithm 

In this section a bound on the error due to pruning is derived. Several lemmas are first 
given which simplify the error bound analysis. 

Lemma 1. If $p_\alpha > 0$ and $1 > p_\beta > 0$ then $p_\alpha \ge p_\beta$ implies

$$\frac{p_\beta (1 - p_\alpha)}{p_\alpha (1 - p_\beta)} \le 1$$

Proof:

$$p_\alpha \ge p_\beta$$

$$1 - p_\beta \ge 1 - p_\alpha$$

$$p_\alpha (1 - p_\beta) \ge p_\beta (1 - p_\alpha)$$

$$1 \ge \frac{p_\beta (1 - p_\alpha)}{p_\alpha (1 - p_\beta)}$$


Lemma 2. If $\Psi(v) = k$ then $P(V_k) \ge P(v)$.

Proof: Suppose that $v$ differs from $V_k$ in only one place; that is, suppose that the 1-bit at
position $\alpha$ in $V_k$ is located at $\beta$ in $v$:

$$P(v) = \prod_{\substack{i=1 \\ i \ne \alpha}}^{k} p_i \prod_{\substack{j=k+1 \\ j \ne \beta}}^{n} (1 - p_j)\; p_\beta (1 - p_\alpha)$$

$$= \frac{p_\beta (1 - p_\alpha)}{p_\alpha (1 - p_\beta)} \prod_{i=1}^{k} p_i \prod_{j=k+1}^{n} (1 - p_j)$$

$$= \frac{p_\beta (1 - p_\alpha)}{p_\alpha (1 - p_\beta)} P(V_k)$$

$$\le P(V_k) \quad \text{(by lemma 1)}$$

The argument is easily generalized for more than one displaced 1-bit.

Lemma 3. Subroutine PRUNER only skips vectors with probability $< \Omega$.

Proof: As shown earlier, the program generates vectors in a specific order. If $v$ is of form
$(x_1\ x_2 \ldots x_j\ 0\ \underbrace{1\ 1\ 1\ 1}_{k}\ \underbrace{0\ 0 \ldots 0}_{z})$, then PRUNER generates the next vector $Nv$ as follows:

$$Nv = (x_1\ x_2 \ldots x_j\ \underbrace{0\ 0\ 0 \ldots 0}_{z+1}\ \underbrace{1\ 1\ 1\ 1}_{k})$$

From the function NEXTvector it can be seen that all the vectors between $v$ and $Nv$ are of
the following form:

$$(x_1\ x_2 \ldots x_j\ 0\ y_1 \ldots y_{n-j-1})$$

where $k$ of the $y$-bits are 1's and $z$ of the $y$-bits are 0's. (This can be seen by noting that
NEXTvector has three branches in the IF statement. The first and third branches only generate
vectors of the form above. The second branch is only executed when all the 1's are already all
the way to the right, so it does not apply.) It is obvious that any vector of this form
can be derived from $v$ by merely moving bits to the right. Thus, subroutine PRUNER skips
vectors which can be generated from the current one by merely moving 1-bits to the right.

To see that moving a 1-bit to the right results in a vector with lower probability, let $v$
represent the original vector and $v'$ represent the new vector. Let $\alpha$ be the location of the 1-bit
which will be moved to location $\beta$ which is to the right of $\alpha$ (i.e., $\beta > \alpha$):

$$P(v) = \prod_{i=1}^{n} \left( e_i P(E_i) + [1 - P(E_i)]\,[1 - e_i] \right)$$

$$P(v) = \prod_{\substack{i=1 \\ i \ne \alpha,\beta}}^{n} \left( e_i P(E_i) + [1 - P(E_i)]\,[1 - e_i] \right) P(E_\alpha)\,[1 - P(E_\beta)]$$

$$P(v') = \prod_{\substack{i=1 \\ i \ne \alpha,\beta}}^{n} \left( e_i P(E_i) + [1 - P(E_i)]\,[1 - e_i] \right) P(E_\beta)\,[1 - P(E_\alpha)]$$

$$P(v') = P(v)\, \frac{P(E_\beta)\,[1 - P(E_\alpha)]}{P(E_\alpha)\,[1 - P(E_\beta)]} \le P(v)$$

The last step follows from $P(E_\alpha) \ge P(E_\beta)$ and lemma 1. Since PRUNER is only called when
the initial vector $v$ has probability of occurrence $< \Omega$, all the vectors skipped have probability
$< \Omega$.
Pruning error bound. The algorithm utilizes two forms of pruning. The first form throws
away all vectors $v$ such that $\Psi(v) \ge \gamma$. A bound on the error which can result from such
pruning, $ERR_\gamma$, is easily obtained. From lemma 2 and the fact that there are $\binom{n}{k}$ vectors with
$k$ 1-bits, we have

$$\sum_{v \in S} P(v) \le ERR_\gamma = \sum_{k=\gamma}^{n} \binom{n}{k} P(V_k)$$

where $S = \{v : \Psi(v) \ge \gamma\}$.

But $\gamma$ is chosen such that

$$\sum_{k=\gamma}^{n} \binom{n}{k} P(V_k) \le S_f [0.5 \times 10^{-d}]$$

(In fact $\gamma$ is the smallest positive integer which satisfies this equation.) Thus,

$$ERR_\gamma \le S_f [0.5 \times 10^{-d}]$$

The second form of pruning eliminates small vectors before $\Psi(v)$ reaches $\gamma$. First $\Omega$ is either
zero in which case no additional pruning is done or

$$\Omega = \frac{BOUND - ERRGAM}{C_\gamma - N_a}$$

where

$$C_\gamma = \sum_{k=0}^{\gamma-1} \binom{n}{k}$$

$$BOUND = S_f [0.5 \times 10^{-d}]$$

$$ERRGAM = \sum_{k=\gamma}^{n} \binom{n}{k} P(V_k) = ERR_\gamma$$

Since $C_\gamma$ = total number of vectors with $\Psi(v) < \gamma$, and $N_a$ is the number of vectors already
analyzed, $(C_\gamma - N_a)$ is an upper bound on the number of vectors which can be thrown
away. Lemma 3 demonstrated that subroutine PRUNER only skips vectors with probability of
occurrence $< \Omega$. Thus, a bound on the error due to the second type of pruning, $ERR_\Omega$, is

$$ERR_\Omega = (C_\gamma - N_a) \times \Omega = BOUND - ERRGAM = BOUND - ERR_\gamma$$

The total error due to pruning $\epsilon$ is bounded by $ERR_\gamma + ERR_\Omega$:

$$\epsilon \le ERR_\gamma + ERR_\Omega = BOUND = S_f [0.5 \times 10^{-d}]$$

Since $S_f \le P_{sys}$,

$$\epsilon \le P_{sys} [0.5 \times 10^{-d}]$$

or

$$\frac{\epsilon}{P_{sys}} \le 0.5 \times 10^{-d}$$

Thus, there are $d$ digits accuracy.
More Efficient Algorithm 

The FTC V2.1 algorithm is more efficient than the basic algorithm presented in the previous 
section. The increased efficiency is obtained by recalculating γ and Ω periodically. Since both 
γ and Ω are functions of P_sys and N_a, improved values can be obtained as the computation 
proceeds. However, this must be done carefully in order to guarantee d digits accuracy. 

    v = (0 0 0 ... 0); S_f = 0; N_f = 0; N_a = 0; 
    NEXTCUT = 1; PRUNED_SOME = FALSE; ERROMG = 0; 
    TOTAL_THROWN_AWAY = 0; 

    REPEAT 
        N_a = N_a + 1                          { number of vectors analyzed so far } 
        IF v causes system failure THEN 
            N_f = N_f + 1 
            calculate P(v) 
            S_f = S_f + P(v) 
            IF N_f = NEXTCUT THEN 
                CALL CUTLEVEL(S_f, γ, Ω) 
                NEXTCUT = NEXTCUT * 10 
            ENDIF 
            IF P(v) < Ω THEN CALL PRUNER(v, Ω) ENDIF 
        ENDIF 
        IF (Ψ(v) ≥ γ) THEN GO TO 100 ENDIF 
        LASTv = v 
        v = NEXTvector 
    UNTIL LASTv = (1 1 ... 1) 

    100: P_sys = S_f 

    FUNCTION CUTLEVEL(S_f, γ, Ω) 
        IF PRUNED_SOME THEN 
            TOTAL_THROWN_AWAY = TOTAL_THROWN_AWAY + ERROMG 
        ENDIF 
        k = n 
        PF = 0.0 
        SUM = 0.0 
        BOUND = S_f [0.5 × 10^(-d)]            { d = desired # digits accuracy } 
        IF BOUND > TOTAL_THROWN_AWAY THEN 
            ROOMLEFT = BOUND − TOTAL_THROWN_AWAY 
        ELSE 
            RETURN 
        ENDIF 
        REPEAT 
            ERRGAM = SUM 
            SUM = SUM + C(n,k) P(V_k) 
            k = k − 1 
        UNTIL SUM > ROOMLEFT 
        γ = k + 2 
        Ω = (ROOMLEFT − ERRGAM) / (C_γ − N_a) 
        ERROMG = (C_γ − N_a) * Ω 
    END 

    SUBROUTINE PRUNER(v, Ω) 
        PRUNED_SOME = TRUE 
        IF v is of FORM (0 0 ... 0 1 1 ... 1 1 0 0 ...) THEN 
            v = (0 0 ... 0 1 1 1 1 1) 
        ELSE 
            SKIP_A_FEW(v) 
        ENDIF 
    END 
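The loop above, its CUTLEVEL recomputation of γ and Ω, and the lemma 3 skip performed by PRUNER, rendered as an added Python example; this is not the FTC program's own code (the FTC solver is written in FORTRAN). The fault tree (a triplex computer with voted sensors, redundant power supplies and a single bus), its event probabilities and every function name are constructed for this example. The page does not show NEXTvector or SKIP_A_FEW, so two assumptions are made: vectors of one weight are visited in lexicographic order of their 1-bit positions (which only ever moves 1-bits to the right, as lemma 3 requires), and the ELSE branch of PRUNER skips nothing. A brute-force sum over all 2^n vectors is included only to check that the estimate lands within 0.5 × 10^(-d) of the exact top-event probability.

```python
from math import comb

# Constructed (assumption): basic events sorted by decreasing failure probability, as
# lemma 1 requires; the list index is the bit position in a failure vector v = (e_1 ... e_n).
EVENT_PROB = [2e-3, 2e-3, 2e-3,          # processing channels A, B, C
              2e-4, 2e-4, 2e-4,          # sensors S1, S2, S3
              1e-4, 1e-4, 1e-6]          # power supplies P1, P2; single data bus

def top_event(v):
    """Constructed tree: TOP = (2 OF 3 channels) OR (2 OF 3 sensors) OR (P1 AND P2) OR bus."""
    return sum(v[0:3]) >= 2 or sum(v[3:6]) >= 2 or v[6] + v[7] == 2 or v[8] == 1

def vector_prob(v, p):
    """P(v) = prod_i ( e_i P(E_i) + [1 - P(E_i)][1 - e_i] ) for a 0/1 vector v."""
    prob = 1.0
    for e, pe in zip(v, p):
        prob *= pe if e else 1.0 - pe
    return prob

def best_prob(k, p):
    """P(V_k): the k leftmost (most probable) events failed, all others working."""
    return vector_prob([1] * k + [0] * (len(p) - k), p)

def next_vector(c, n):
    """Next vector of the same weight, c being the tuple of 1-bit positions; lexicographic
    order moves 1-bits to the right. (The page does not show NEXTvector; this order is mine.)"""
    k, c, i = len(c), list(c), len(c) - 1
    while i >= 0 and c[i] == n - k + i:
        i -= 1
    if i < 0:
        return None                           # (1 1 ... 1) of this weight was the last one
    c[i] += 1
    for j in range(i + 1, k):
        c[j] = c[j - 1] + 1
    return tuple(c)

def pruner(c, n):
    """Lemma 3 skip: v = (x 0 1..1 0..0) jumps to Nv = (x 0..0 1..1); every vector in between
    only moves 1-bits of v to the right, so its probability is below P(v) < Omega.
    (SKIP_A_FEW is not shown on the page; assumption: the ELSE branch skips nothing here.)"""
    t = len(c) - 1
    while t > 0 and c[t - 1] == c[t] - 1:     # find where the trailing run of 1-bits starts
        t -= 1
    if not c or c[t] == 0:                    # no 0-bit precedes the run: ELSE branch
        return c
    return c[:t] + tuple(range(n - (len(c) - t), n))

def ftc_solve(fails, p, digits):
    """FTC V2.1-style loop: (P_sys estimate to `digits` digits, number of vectors analysed)."""
    n = len(p)
    assert all(p[i] >= p[i + 1] for i in range(n - 1)), "sort events by decreasing probability"
    half_ulp = 0.5 * 10.0 ** (-digits)
    st = dict(S_f=0.0, N_f=0, N_a=0, gamma=n + 1, omega=0.0, next_cut=1,
              pruned_some=False, erromg=0.0, thrown=0.0)

    def cutlevel():                           # the paper's CUTLEVEL(S_f, gamma, Omega)
        if st["pruned_some"]:
            st["thrown"] += st["erromg"]      # TOTAL_THROWN_AWAY
        bound = st["S_f"] * half_ulp
        if bound <= st["thrown"]:
            return                            # no room left: keep the current gamma and Omega
        roomleft = bound - st["thrown"]
        k, total, errgam = n, 0.0, 0.0
        while True:                           # ERRGAM = sum_{k >= gamma} C(n,k) P(V_k)
            errgam = total
            total += comb(n, k) * best_prob(k, p)
            k -= 1
            if total > roomleft or k < 0:
                break
        st["gamma"] = k + 2
        room = sum(comb(n, j) for j in range(st["gamma"])) - st["N_a"]   # C_gamma - N_a
        st["omega"] = (roomleft - errgam) / room if room > 0 else 0.0
        st["erromg"] = room * st["omega"] if room > 0 else 0.0

    for k in range(n + 1):                    # vectors in order of increasing Psi(v)
        c = tuple(range(k))
        while c is not None:
            if k >= st["gamma"]:              # gamma-type pruning: everything left is skipped
                return st["S_f"], st["N_a"]
            st["N_a"] += 1
            v = [1 if i in c else 0 for i in range(n)]
            if fails(v):
                st["N_f"] += 1
                pv = vector_prob(v, p)
                st["S_f"] += pv
                if st["N_f"] == st["next_cut"]:
                    cutlevel()
                    st["next_cut"] *= 10
                if pv < st["omega"]:          # Omega-type pruning
                    st["pruned_some"] = True
                    c = pruner(c, n)
            c = next_vector(c, n)
    return st["S_f"], st["N_a"]

def exact_top_probability(fails, p):
    """Brute force over all 2^n vectors (only feasible for tiny n); used to check the bound."""
    vectors = ([(b >> i) & 1 for i in range(len(p))] for b in range(1 << len(p)))
    return sum(vector_prob(v, p) for v in vectors if fails(v))

def demo(digits=3):
    est, analysed = ftc_solve(top_event, EVENT_PROB, digits)
    exact = exact_top_probability(top_event, EVENT_PROB)
    return est, exact, abs(est - exact) / exact, analysed
```

Calling demo(3) returns the estimate, the exact value, the relative error and the number of vectors analysed. For these constructed probabilities γ already drops to 4 at the first CUTLEVEL call, so no vector with four or more failed events is ever visited, and a pruned vector whose trailing 1-bits sit directly after a 0-bit, such as (3, 4, 5), is replaced by (6, 7, 8) in one step, which is exactly the skip lemma 3 justifies.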

Derivation of Error Bound for the More Efficient Algorithm 

The only difference between the original algorithm and the more efficient algorithm is that 
the more efficient algorithm recalculates γ and Ω as the computation proceeds. The variable 
BOUND represents the total amount of probability that can be thrown away and still have d 
digits accuracy. In the basic algorithm, the difference between BOUND and $\mathrm{ERR}_\gamma$ represents 
the amount of extra probability that is not used by the γ-type pruning. This extra probability 
enabled the additional Ω-type pruning. When the program recalculates γ and Ω, it is necessary 
that the error due to previous pruning be taken into consideration. (Clearly, since γ-type 
pruning terminates the program, only the previous Ω-type pruning must be considered.) To 
illustrate, let γ' and Ω' represent the first values and γ and Ω represent the new values to be 
calculated. Also let BOUND(i) be the value of BOUND used for the ith calculation: 

$$\mathrm{BOUND}(i) = S_f\,[0.5 \times 10^{-d}]$$

Clearly, 

$$\mathrm{BOUND} = P_{sys}\,[0.5 \times 10^{-d}] \ge \mathrm{BOUND}(i) \qquad \text{(for all } i\text{)}$$

If no pruning was done prior to the second calculation, then the original method would work 
fine. But, if pruning was done prior to the second calculation of γ and Ω, then there are three 
sources of error which must be accommodated. The following must hold: 

$$\mathrm{ERR}_\gamma + \mathrm{ERR}_{\Omega'} + \mathrm{ERR}_\Omega \le P_{sys}\,[0.5 \times 10^{-d}]$$

In general, if $\mathrm{ERR}_\Omega^{(i)}$ represents the error bound on the amount of pruning due to the ith value 
of Ω, say $\Omega^{(i)}$, and there were r calculations of Ω (i.e., r calls to subroutine CUTLEVEL), then 
the following must hold: 

$$\mathrm{ERR}_\gamma + \sum_{i=1}^{r} \mathrm{ERR}_\Omega^{(i)} \le P_{sys}\,[0.5 \times 10^{-d}]$$

The program maintains this summation $\sum \mathrm{ERR}_\Omega^{(i)}$ in the variable TOTAL_THROWN_AWAY(r). 
The parameter $\Omega^{(i)}$ is calculated as follows: 

$$\Omega^{(i)} = \frac{\mathrm{ROOMLEFT} - \mathrm{ERR}_\gamma}{C_\gamma - N_a} = \frac{\mathrm{BOUND}(i) - \mathrm{TOTAL\_THROWN\_AWAY}(i-1) - \mathrm{ERR}_\gamma}{C_\gamma - N_a}$$

Since $\mathrm{BOUND}(i) \le \mathrm{BOUND}$: 

$$\Omega^{(i)} \le \frac{\mathrm{BOUND} - \mathrm{ERR}_\gamma - \mathrm{TOTAL\_THROWN\_AWAY}(i-1)}{C_\gamma - N_a}$$

Thus, a bound on the error due to $\Omega^{(i)}$-pruning, denoted $\mathrm{ERR}_\Omega^{(i)}$, is: 

$$\mathrm{ERR}_\Omega^{(i)} = \Omega^{(i)}\,(C_\gamma - N_a) \le \mathrm{BOUND} - \mathrm{ERR}_\gamma - \mathrm{TOTAL\_THROWN\_AWAY}(i-1)$$

Rearranging terms: 

$$\mathrm{ERR}_\Omega^{(i)} + \mathrm{TOTAL\_THROWN\_AWAY}(i-1) \le \mathrm{BOUND} - \mathrm{ERR}_\gamma$$

or 

$$\mathrm{ERR}_\gamma + \sum_{j=1}^{i} \mathrm{ERR}_\Omega^{(j)} \le \mathrm{BOUND}$$

This inequality is true for all i, in particular i = r: 

$$\mathrm{ERR}_\gamma + \sum_{j=1}^{r} \mathrm{ERR}_\Omega^{(j)} \le \mathrm{BOUND}$$

The left side is the sum of the error bounds for all the pruning that could possibly take place. 
Thus, the total error in pruning, e, is bounded: 

$$e \le \mathrm{BOUND} = P_{sys}\,[0.5 \times 10^{-d}]$$

or 

$$\frac{e}{P_{sys}} \le 0.5 \times 10^{-d}$$

Thus, there are d digits accuracy. 

Domain of Efficiency 

Since the program processes vectors in order of increasing number of basic-event failures, it 
is efficient for systems which have a failure mode involving a small number of basic events. Even 
very large fault trees can be solved, if they possess dominant failure vectors containing only a 
few failed basic events. This type of fault tree is found in models of fault-tolerant computer 
system architectures. For example, if the system is constructed using threefold redundancy, 
the dominant failure vectors will contain only two basic-event failures. 

Concluding Remarks 

A new algorithm for solving fault trees has been developed along with an error bound on 
its accuracy. This algorithm is the mathematical basis for a new reliability analysis program 
called the Fault-Tree Compiler (FTC). The solution algorithm is especially efficient for the 
types of fault trees used to model fault-tolerant system architectures. The FTC program has 
four major strengths: (1) the input language is easy to understand, (2) automatic sensitivity 
analysis is allowed by varying a parameter over a range of values, (3) the answer provided by 
the program is precise to within a user-specified level of accuracy, and (4) the program uses a 
pruning technique which significantly reduces the execution time of the program. Additionally, 
the use of the hierarchical fault-tree capability can reduce model complexity. 

NASA Langley Research Center 
Hampton, VA 23665-5225 
May 2, 1989 
Appendix 


Error Messages 

Error and warning messages are listed in alphabetical order, with messages beginning with 
a symbol (i.e., =, ], ;) listed at the end. 

ALREADY DEFINED AS A GLOBAL CONSTANT — The value defined has been defined previously 
as a global constant. 

ALREADY DEFINED AS A GATE OUTPUT OR EVENT — The value has been defined previously 
as a gate output or event. 

ALREADY DEFINED AS A LOCAL CONSTANT — The value has been previously defined as 
a local constant. 

ALREADY DEFINED AS A RESERVED WORD — The value defined is an FTC reserved 
word. 

ALREADY DEFINED AS A SUBTREE — The value defined has previously been defined as a 
subtree title. 

ARGUMENT TO EXP FUNCTION MUST BE < 8.80289E+01 — The argument to the EXP 
function is too large. 

ARGUMENT TO LN OR SQRT FUNCTION MUST BE > 0 — The LN and SQRT functions 
require positive arguments. 

ARGUMENT TO STANDARD FUNCTION MISSING — No argument was supplied for a 
standard function. 

COMMA EXPECTED — Syntax error; a comma is needed. 

CONSTANT EXPECTED — Syntax error; a constant is expected. 

DIVISION BY ZERO NOT ALLOWED — A division by 0 was encountered when evaluating 
the expression. 

EVENT PROBABILITY > 1 — The event probability was evaluated to a value greater than 1. 

EVENT PROBABILITY < 0 — The event probability was evaluated to a value less than 0. 

EXP FUNCTION OVERFLOW — The argument to the EXP function is too large. The value 
of the argument must be less than 8.80289E+01. 

EXPRESSION CANNOT CONTAIN THE VARIABLE — The variable cannot be defined in 
terms of itself. 

EXPRESSION OVERFLOW — The value of the expression caused arithmetic overflow. 

FILE NAME EXPECTED — Syntax error; the file name is missing. 

FILE NAME TOO LONG — File names must be 80 or less characters. 

IDENTIFIER EXPECTED — Syntax error; the file name is missing. 

IDENTIFIER NOT DEFINED — The identifier entered has not yet been defined. 

ILLEGAL CHARACTER — The character used is not recognized by the FTC program. 

ILLEGAL LN OR SQRT ARGUMENT — The LN and SQRT functions require positive 
arguments. 

ILLEGAL STATEMENT — The command word is unknown to the program. 

ILLEGAL NUMBER OF INPUTS TO GATE — The AND and OR gates may have an arbitrary 
number of inputs; however, the INVERT gate must have only one input, the EXCLUSIVE 
OR gate must have two inputs, and the M OF N gate must have the number of inputs such 
that N-M > 0. 

INPUT ALREADY DEFINED AS A VARIABLE — The gate or variable defined in the statement 
has already been defined globally as a variable. 

INPUT LINE TOO LONG — The command line exceeds the 100-character limit. 
INTEGER EXPECTED — Syntax error; an integer is expected. 

INV GATE MUST HAVE ONLY 1 INPUT — Only one input is allowed for the INVERT gate. 
MUST BE IN “READ” MODE — The INPUT command can be used only in a file processed 
by a READ command. 

NOT A VALID EVENT — Events used as gate inputs must be previously defined as a basic 
event or the output from a previous gate. 

NO GATES IN FAULT TREE — The fault tree contains no gates. 

NUMBER TOO LONG — Only 15 digits/characters allowed per number. 

ONLY 1 VARIABLE ALLOWED — Only one variable can be defined per complete fault tree. 
REAL EXPECTED — A floating point number is expected here. 

SEMICOLON EXPECTED — Syntax error; a semicolon is needed. 

SUB-EXPRESSION TOO LARGE, i.e. > 1.70000E+38 — An overflow condition was encountered 
when evaluating the expression. 

SUBTREE RESULT NOT FOUND — The fault tree was unable to calculate subtree top event 
probabilities. Check for syntax errors in the subtrees. 

TOP NOT REACHABLE — No combination of events led to the top event in the system tree. 

UNKNOWN GATE TYPE — Verify that the gate type is AND, OR, INV, XOR, or m OF n. 
See the section "Gate Definition" of this paper for more information. 

VARIABLE MUST BE DEFINED AT GLOBAL LEVEL — Variables may NOT be defined 
within subtrees; variables must be defined globally. 

VMS FILE NOT FOUND — The file indicated on the READ command is not present on the 
disk. (Note: make sure your default directory is correct.) 

WARNING: EVENT PROBABILITY = 1 — The event probability was evaluated to a value 
equal to 1. Although the answer given by the program is still correct the input may not be 
what was intended. 

WARNING: EVENT PROBABILITY = 0 — The event probability was evaluated to a value 
equal to 0. Although the answer given by the program is still correct the input may not be 
what was intended. 

*** WARNING: VARIABLE CHANGED TO A CONSTANT! PREVIOUS EVENTS MAY 
BE WRONG — If previous basic events have been defined using a variable and the variable 
name is changed, inconsistencies may appear in the results. 

*** WARNING: SYNTAX ERRORS PRESENT BEFORE RUN — Syntax errors were present 
during the model description process. They may or may not have been corrected prior to the 
run. 

*** WARNING: RUN-TIME PROCESSING ERRORS — Computation overflow occurred during 
execution. 

*** WARNING: REMAINDER ON INPUT LINE IGNORED — The information on the rest of 
the input line is disregarded. 

= EXPECTED — Syntax error; the = operator is needed. 

] EXPECTED — A right bracket is missing in the expression. 

< EXPECTED — Syntax error; the < symbol is needed. 

) EXPECTED — A right parenthesis is missing in the expression. 

( EXPECTED — A left parenthesis is missing in the expression. 


NASA Report Documentation Page 
National Aeronautics and Space Administration 

Report No.: NASA TP-2915 
Title and Subtitle: The Fault Tree Compiler (FTC) Program and Mathematics 
Report Date: July 1989 
Author(s): Ricky W. Butler and Anna L. Martensen 
Performing Organization Report No.: L-16529 
Performing Organization Name and Address: NASA Langley Research Center, Hampton, VA 23665-5225 
Work Unit No.: 505-66-21-01 
Sponsoring Agency Name and Address: National Aeronautics and Space Administration, Washington, DC 20546-0001 
Type of Report and Period Covered: Technical Paper 

Supplementary Notes: 
Ricky W. Butler: Langley Research Center, Hampton, Virginia. 
Anna L. Martensen: PRC Kentron, Inc., Aerospace Technologies Division, Hampton, Virginia. 

Abstract: 
The Fault-Tree Compiler program is a new reliability tool used to predict the top-event probability 
for a fault tree. Five different gate types are allowed in the fault tree: AND, OR, EXCLUSIVE OR, 
INVERT, and m OF n gates. The high-level input language is easy to understand and use when 
describing the system tree. In addition, the use of the hierarchical fault tree capability can simplify 
the tree description and decrease program execution time. The current solution technique provides 
an answer precisely (within the limits of double precision floating point arithmetic) within a user-
specified number of digits accuracy. The user may vary one failure rate or failure probability over a 
range of values and plot the results for sensitivity analyses. The solution technique is implemented 
in FORTRAN; the remaining program code is implemented in Pascal. The program is written to 
run on a Digital Equipment Corporation (DEC) VAX computer with the VMS operating system. 

Key Words (Suggested by Authors(s)): Fault tree; Reliability analysis; Reliability modeling; Fault tolerance 
Distribution Statement: Unclassified — Unlimited; Subject Category 62 
Security Classif. (of this report): Unclassified 
Security Classif. (of this page): Unclassified 
No. of Pages: 38 
Price: A03 

NASA FORM 1626 OCT 86    NASA-Langley, 1989 
For sale by the National Technical Information Service, Springfield, Virginia 22161-2171 